ISC is reporting that they’re seeing exploits of MS09-002 in the wild. MS09-002 is an exploit which allows for remote code execution on IE7. The vulnerability was first reported to MS in October of 2007 by the Zero Day Initiative. Microsoft issued the patch a week ago. Given this, ISC is also claiming that it is likely that the patch was reverse engineered to find the vulnerability, and I would have to agree. I’m sure the anti-disclosure crowd will be using this one as proof positive for their position in the future.

The Conficker worm author is the latest to latest to have a bounty placed on his/her head. While I’m not inherently opposed to rewarding people who turn in criminals (it certainly has been standard practice in the non-cyber world for centuries). However, I think that in this case the organization offering the bounty is simply trying to look “tough on crime” after suffering for decades due to their lax security posture.

update On a related topic, when doing some background research on conficker, I stumbled across the following headline:

Regarding my previous post on how Palin’s email was broken into, it turns out I was dead on. Security questions are just a bad idea.

Alaska Governor and VP nominee Sara Palin’s yahoo account has been compromised, evidently by the group “anonymous“. (Is her fantasy football team okay?) I’m going to go out on a limb now and make en educated guess on how this happened. Chances are they won’t reveal how it actually occurred, but given the situation and given what I know about Yahoo email accounts, I’m fairly certain I know how it happened. Yahoo employs “security questions” if you forget your password. In the past you had to know a person’s zip code, birth date, and the answer to one “security” question to reset an account password. As of when I checked just now the procedure has changed to be just a security question. The problem for someone like Palin is that in the last month or so, every fact about her life has become public. It would be trivial to find out her zip code, birth date, and just about everything else about her that could be used as a security question. This makes it easy for a hacker to use this “security feature” to gain access to the account.

The truth is, all of those “forgot my password”links are usually great ways for hackers to break into accounts.

It looks like the first computer virus to cross into outer space is the W32.Gammima.AG worm.

As a followup to my previous post about cyber-war, it looks like the cyber-attacks against Georgia started before the Russian invasion. Although interesting, it doesn’t change the basic concept of cyber-war very much. The initial attacks garnered little attention until they were combined with conventional kinetic warfare. The reason is simple – cyber-war, on it’s own, doesn’t do a whole lot.

I got way behind on my reading over the past few days. Now that I’m catching up I noticed that TippingPoint has launched Threatlinq. a product which provides a lot of information about the global attack landscape. It looks very interesting and seems to have a lot of good data. It would be interesting to poke around in their data and try to come up with interesting conclusions, but alas it is only available to their customers. Rats.

In the spring of 2007, the world’s first real cyber-war commenced. Now, with hostilities in the same area of the world flaring up again, we appear to have the world’s second cyber-war. Although the history of cyber-war is still very new, it is interesting to note that in the first case cyber-war was performed in the absence of state sponsored military action, while in the second case it only supplemented the tanks, guns, and bombs that go along with conventional warfare. In the former case the damage may have been swift and shocking, but it was also temporary and somewhat ephemeral. No lives were lost, no infrastructure was permanently crippled. (There are however a lot of lessons learned – the postmortem interview with Estonia’s secretary of defense is highly recommended.) In the latter case, the war seems to be having serious geopolitical ramifications, but the effect of the cyber-attacks is as of yet unclear. All that we can currently say for certain is that it has helped to weaken the Georgian PR machine, which in this era of 24 hour news cycles,  UN resolutions, and the more globally connected world, is more important during wartime than ever before. What the future of cyber-war entails I clearly can’t tell for certain, but I do have a feeling that it can’t stand on it’s own. Cyber-war may get people’s attention, force societies to alter how they function in the short term, and annoy people who can’t check their bank balances, but they don’t have serious geopolitical implications when they stand on their own. Cyber-war works best when it works in concert with conventional warfare.

This year blackhat debuted the pwnie awards – given out (mostly) for massive failures in the field of information security. The candidates were nominated in July, and the winners last night, although the list of winners is not on the pwnie website as of yet. If you’re curious, a little digging revealed the award winners here. It was hard to argue with any of the winners.

Piggybacking on something I wrote about earlier, with the proliferation of WoW credential stealing bots, WoW is now offering two-factor authentication to its users. It makes sense frankly. WoW needs to keep their customers happy to keep their bottom line, and they’ve begun to realize that all passwords are inherently weak.